Ubisecure SSO 8.x.x
Ubisecure SSO 8.3.0
...
New Features
- IDS-270: Password Reset - A new web application for resetting a forgotten password.
- More information in the documentation.
- IDS-639: Support for Swedish BankID via external Authentication Adapter using Ubisecure Backchannel Authentication Adapter (UBAA) Authentication Method.
- Installing the Ubisecure Backchannel Authentication Adapter Authentication Method is described here
- SSO Management Console supports configuration by providing new method type Backchannel Authentication Adapter
Improvements
- IDS-963: The LDAP search for a ubiloginAuthMapping entry in the Ubilogin Directory, which is performed each time a user is authenticated, consumes fewer resources
- IDS-78: LDAPS support for SSO install.sh, export.sh and import.sh
- IDS-388: The default font size for error messages is increased from 0.8em to 1.1em
...
- IDS-60: Disabled users cannot log in to applications with accounts that are linked by User Driven Federation.
- When a user authenticates with a federated identity and a matching local account is returned by a FederationManager implementation (i.e. CIDFederationManager or UbiloginFederationTable), the local account status is now verified and the access is denied if the status is not valid.
- The workaround fix Preventing disabled users from logging in with user driven federation as described in the page User driven federation is not needed anymore.
- IDS-1014: SSO management doesn't disclose the client_secret for OAuth2 application agents
- When uploading a client metadata to an OAuth 2.0 application agent using the SSO Management Console, if the metadata contains a client_secret, the client_secret is now removed before storing the metadata in the agent configuration in Ubilogin Directory.
- Prior to 8.3, the client_secret was not removed, but stored as is in the agent configuration in Ubilogin Directory.
- Furthermore, even if the client_secret has already been stored in the agent configuration, as may be the case for agents that have already been activated prior to SSO 8.3, the client_secret will now not be shown in the SSO Management Console nor in the SSO Management API.
- Prior to 8.3, the client_secret, if set in the client metadata, was shown in SSO Management Console.
- IDS-1052: OTP lists for UbiloginDirectory users created from SSO Management Console are no longer randomly invalid
- IDS-945: Execute flag is set for the bash scripts in the Linux version
- IDS-723: The SMTP message that is sent by SMTP OTP method sets the Date header as specified in RFC 822
- IDS-821: Some errors (such as LDAP read timeout) during password/reset don't deactivate the servlet that catches them
- IDS-437: Main Class in the MANIFEST.MF of sso-pkipolicy.jar is correct
- IDS-1074: Linux version: OpenLDAP installation script (ldap/openldap/install.sh) doesn't show an unnecessary error message ldap_modify: No such attribute (16)
Ubisecure SSO 8.3.0-RC1
New Features
...
Ubisecure SSO 8.2.25-1
Corrections
...
Ubisecure SSO 8.1.1 (26.4.2017)
New Features
- IAM-2320: Tupas IDP: If A01Y_RETLINK contains query part, the query part is now included also in the tupas response.
...
Ubisecure SSO 8.1.0 (28.3.2017)
New Features
- IAM-1374: SSO support for wreply and wfresh parameters in WS-Federation
- IAM-2019: SSO support for wauth and whr parameters in WS-Federation
- IAM-1352: SSO Management API - New functionality to add/remove/modify users
- IAM-1457: SSO Management API - New functionality to create mapping configuration (persistentId, refreshtokenPolicy)
- IAM-1735: Sms-mt-otp and smtp-otp grant, added error description to Error Response explaining the error situation
- IAM-1907: OTP Timeout for Sms-mt-otp and smtp-otp grant is now configurable in minutes. By default, there is no timeout.
- IAM-2073: TUPAS IDP A01Y_RETLINK parameter allows ignoring of query parameters from the URL(s)
- IAM-2110: Type and attribute names in SSO Management API calls for input are now case-insensitive. Type and attribute names in responses are now in CamelCase.
- IAM-2204: Java updated to version jdk-8u121
- IAM-2197: Tomcat updated to version 8.0.42
...
Ubisecure SSO 8.0.0 (25.11.2016)
New Features
- IAM-1320: SSO Server acts as a TUPAS IDP
- IAM-1478: PCR generation - an option to use new kind of UUID format as specified in RFC 4112[9]
- IAM-1493: It is now possible to prevent SSO on server side by using agent setting (using either Forceauthn, oneTimeUse or both parameters)
- IAM-1736: New Ubisecure look and feel to SSO
- IAM-1770: New tomcat version 8.0.38
...
Ubisecure SSO 7.7.1 (3.10.2016)
New Features
- IAM-1506: SSO authorization policy can decrypt values
...
Ubisecure SSO 7.7.0 (26.08.2016)
New Features
- IAM-1032: OpenID Provider Metadata, tokeninfo_endpoint replaced with introspection_endpoint (RFC 7662)
- IAM-1384: Token Introspection updates for RFC 7662
- IAM-1066: MPKI login screen can be configured so that it does not ask for a spam code and automatically tries to log in if a Mobile Connect encrypted login hint is provided.
- IAM-1451: OAuth2 and SAML2 metadata agent logo, based on locale, can be set visible in the login screen, with or without the default SSO logo
- IAM-1474: SSO openldap version upgrade to openldap-2.4.44 (OpenLDAP is now compiled without DDS overlay and with both BDB (default) and new MDB backends)
...
Ubisecure SSO 7.6.0 (29.05.2016)
New Features
- IAM-712: OAuth 2.0 Token Revocation (RFC 7009).
- IAM-1124: SAML Profile for OAuth 2.0 Authorization Grants (RFC 7522)
- IAM-1354: SSO Management API new functionality to allow Relying Party specified client_id and secret for OAuth2 metadata (RFC-7591 Dynamic client registration protocol)
- IAM-1364: OAuth2 and SAML2 metadata client name can be set visible in the login screen, in addition to, or to replace, the current hostname
- IAM-1365: SSO Login screen templates can contain also javascript resources
- IAM-1366: Username in login screen cannot be changed if mobile connect login_hint is encrypted (ENCR_MSISDN)
- IAM-1384: Oauth2 Token Introspection token_type supports refresh_token
- IAM-1448: OAuth2 OpenID Provider Metadata changes, tokeninfo_endpoint is replaced with introspection_endpoint. Note that tokeninfo_endpoint and /uas/oauth2/tokeninfo are deprecated (will be removed in the version after 7.6)
- IAM-1395: SSO can return grant type and refresh token create time to application using authorization policy
- IAM-1428: AuthnStatementSessionNotOnOrAfter interop flag to leave SessionNotOnOrAfter unassigned in SAML2 response
- IAM-1403: OpenID Connect idtoken contains azp attribute in Mobile Connect
- IAM-1404: OAuth2 idtoken attribute aud is now always array to fully support Mobile Connect
- IAM-1406: OAuth2 authorization endpoint error page now sets http status 400 to indicate error condition (Does not return user to relying party)
...
Ubisecure SSO 7.5.0 (26.02.2016)
New Features
- IAM-5: OAuth2-extension for confirming Email and Phone number
- IAM-823: SSO Management REST API Phase 1
- IAM-873: Compatibility flag SendAssertionConsumerServiceURL for sending AssertionConsumerServiceURL in SAML-AuthnRequest
- IAM-1170: New compatibility flag ExplicitUnspecifiedAuthnContextClassRef for sending authnContextClassRef in SAML-response
- IAM-941: OTP server support for external SQL user database
- IAM-1060: Unregistered SMS OTP Authentication method
- IAM-1208: Unregistered SMTP OTP Authentication method
- IAM-1147: Login_hint now works also with unregistered authentication methods (unregistered MPKI, SMS and SMTP)
- IAM-1253: SSO Management UI to GlobalSign branding
- IAM-1296: OAuth request scope now ignored as long as the correct scope in use is returned in Token Endpoint response
- IAM-1297: Only password, authorization_code and refresh_token are allowed OAuth grant_types by default.
- IAM-1295: Template property useloginhint for showing OAuth2 login_hint in SSO
- IAM-1294: Support for Mobile Connect encrypted login_hint with prefix ENCR_MSISDN
...
Ubisecure SSO 7.4.0 (27.11.2015)
New Features
- IAM-805: Upgrade SSO JVM to Java 8
- IAM-884: SSO Tomcat updated, version 8.0.27
- IAM-910: OpenID Connect/Mobile Connect Identity Provider
- IAM-966: Support multivalue SAML2 AuthnContextClassRef in methods
- IAM-995: Updated OpenSSL version to 1.0.1p, used by OpenLDAP in Linux installations
...